The Apache web server can display the contents of a directory to users if there is no default index file, such as index.html. This is managed by the mod_autoindex module. However, exposing directory contents can be a security risk, as it might reveal sensitive files or the structure of your server.
Common default index files include: index.html, index.htm, index.php, and welcome.html. These can be configured in the DirectoryIndex directive within the Apache configuration file.
To enhance security, it is advisable to disable directory listing in Apache. This can be achieved by disabling the mod_autoindex module, configuring the Options directive, or using an .htaccess file. Each method offers different levels of control depending on your server setup and security needs.
Disabling directory listing ensures that users cannot see the contents of directories on your server. This reduces the risk of unauthorized access to files and improves overall security.
Methods to disable directory listing in Apache:
For those using platforms like cPanel, there are platform-specific methods to disable Apache's directory listing.
Disable Apache directory listing by disabling autoindex module
To disable directory listing globally across all sites hosted on your server, deactivate the mod_autoindex module. This method ensures that no directory listings are displayed, regardless of the directory or site.
- Launch your preferred terminal application.
- Disable autoindex module for Apache.
$ sudo a2dismod --force autoindex # Ubuntu, Debian and SUSE
Module autoindex disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
- Distributions with a2dismod support can simply run the command above without having to manually disable the required modules.
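- On other distributions, the LoadModule directive for the autoindex module needs to be disabled manually by removing the line from the configuration file or commenting it out (by adding # at the beginning).

| Options | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS | homebrew | xampp |
| --- | --- | --- | --- | --- | --- | --- |
| a2dismod support | yes | yes | no | no | no | no |
| Modules to uninstall | none | none | none | none | none | none |
| Module name | n/a | n/a | autoindex | autoindex | autoindex | autoindex |
| LoadModule directive | n/a | n/a | #LoadModule autoindex_module <module_locations>/mod_autoindex.so | #LoadModule autoindex_module <module_locations>/mod_autoindex.so | #LoadModule autoindex_module <module_locations>/mod_autoindex.so | #LoadModule autoindex_module <module_locations>/mod_autoindex.so |

- Restart Apache for the changes to take effect.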
Disable Apache directory listing via Directory's Options directive
To disable directory listing for specific directories, modify the Options directive in the Apache configuration file. This method allows more granular control over which directories have directory listing disabled.
- Open Apache's configuration file using your preferred text editor.
$ sudo vi /etc/apache2/other/mysite.conf
The configuration could be set globally or from within VirtualHost configuration.
- Find the Options line within the Directory block.
<Directory /var/www/mysite>
    Options Indexes FollowSymLinks
</Directory>
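- Remove the Indexes option or add -Indexes to the Options directive.
<Directory /var/www/mysite>
    Options -Indexes +FollowSymLinks
</Directory>
Notice that it's -Indexes and not +Indexes. Apache 2.4 rejects an Options line that mixes options carrying a + or - prefix with options that have none, so FollowSymLinks takes a + prefix here.
- Save and exit the editor.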
- Restart the Apache service to apply changes.
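A quick audit for the Options step above, as an added example that is not part of the original guide. The audit_indexes function and the sample configuration are constructed for illustration; the function reads configuration text on stdin and reports, for each Options line, whether it turns listing on, turns it off, leaves it inherited, or mixes prefixed and unprefixed options (which Apache 2.4 rejects at startup).

```shell
#!/bin/sh
# Added example (not from the guide): flag Options lines that leave
# directory listing enabled. Simplified parser: assumes unquoted
# <Directory> paths without spaces and one directive per line.
audit_indexes() {
  awk '
    BEGIN { ctx = "(server config)" }
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*<Directory[ \t]/ {                   # entering a <Directory> block
      ctx = $2; sub(/>$/, "", ctx); next
    }
    /^[ \t]*<\/Directory>/ { ctx = "(server config)"; next }
    tolower($1) == "options" {
      on = 0; off = 0; signed = 0; bare = 0
      for (i = 2; i <= NF; i++) {
        o = tolower($i)
        if (o ~ /^[+-]/) signed++; else bare++
        if (o == "indexes" || o == "+indexes" || o == "all") on = 1
        if (o == "-indexes") off = 1
      }
      if (signed && bare) v = "INVALID-MIXED"    # rejected by Apache 2.4
      else if (on) v = "LISTING-ON"              # Indexes or All is set
      else if (off || bare) v = "LISTING-OFF"    # removed, or absolute list without it
      else v = "INHERITED"                       # only +/- options, none touch Indexes
      print ctx ": " v
    }
  '
}

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF='<Directory /var/www/mysite>
    Options Indexes FollowSymLinks
</Directory>
<Directory /var/www/fixed>
    Options -Indexes +FollowSymLinks
</Directory>
<Directory /var/www/mixed>
    Options -Indexes FollowSymLinks
</Directory>
<Directory /var/www/other>
    Options +FollowSymLinks
</Directory>'

printf '%s\n' "$SAMPLE_CONF" | audit_indexes
```

An INHERITED result means the block's effective setting comes from an enclosing context, so check the parent directory or the server-level Options as well.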
Disable Apache directory listing using .htaccess
If you lack root access or prefer to control directory listing for specific directories, use the .htaccess file. This method is ideal for shared hosting environments where you want to restrict directory listings without affecting other sites.
- Navigate to the directory where you want to disable directory listing.
- Open or create the .htaccess file in the directory using your preferred text editor.
$ sudo vi /var/www/mysite/.htaccess
- Add -Indexes to the Options directive in the .htaccess file.
Options -Indexes
Ensure that the Apache configuration allows the use of .htaccess files by checking that the AllowOverride directive is set to All, or at least to Options, for the relevant directory.
- Save and exit the editor.
- Restart Apache to apply the changes.
$ sudo systemctl restart apache2
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.